In my experience advising clients, there are some expedient tactics that can quickly be applied to address 'Inappropriate Use of Substitution Syntax' errors spotted by APEX Advisor. The decision tree below, hopefully, covers 90% of situations. The main take-away is that 90% of your SQL Injection vulnerabilities will take care of themselves if you simply lean into APEX's handy declarative report-building and link-building utilities.

Situation: You are building a URL in the database (say, in a package) and you need to pass in some APEX substitution values, like the session id.

Action: Reference the APEX substitution values through the v() function instead, e.g. v('APP_SESSION').

Situation: You are using a 'select list' in APEX to set a value and redirecting to another page.

Action: You will have to make the item you are setting unrestricted on the destination page.

Situation: You are using Ajax calls in APEX to set values of page/app items.

Action: The items on the destination page must be set as 'unrestricted'.

Final words on SQL Injection

Avoidance Strategies:

Strategy: Use bind arguments
Description: Parameterize queries using bind arguments. Not only do bind arguments eliminate the possibility of SQL injection, they also enhance performance.

Strategy: Avoid dynamic SQL with concatenated input
Description: E.g.: EXECUTE IMMEDIATE 'DROP TABLE ' || 'emp_' || loc;

Strategy: Filter and sanitize input
Description: The Oracle-supplied DBMS_ASSERT package contains a number of functions that can be used to sanitize user input and to guard against SQL injection in applications that use dynamic SQL built with concatenated values.
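The three strategies above side by side, as an added example that is not from the original post: the concatenated form from the table, then a hardened version that passes the value as a bind argument with EXECUTE IMMEDIATE ... USING and validates the table name, which cannot be bound, with DBMS_ASSERT.SQL_OBJECT_NAME. The EMP_<loc> tables, their ENAME column and the function names are assumptions.

```sql
-- Added example, not from the original post. Assumes per-location tables
-- named EMP_<loc> (e.g. EMP_NYC) with an ENAME column; names are hypothetical.

-- Vulnerable: identifier and predicate value are both concatenated in, so
-- either argument can change the statement (the table's DROP TABLE case).
CREATE OR REPLACE FUNCTION count_emps_unsafe (
  p_loc   IN VARCHAR2,
  p_ename IN VARCHAR2
) RETURN NUMBER IS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp_' || p_loc ||
    ' WHERE ename = ''' || p_ename || ''''
    INTO l_cnt;
  RETURN l_cnt;
END count_emps_unsafe;
/

-- Hardened: the value travels as a bind argument (data only, and the cursor
-- can be shared across calls). The table name cannot be bound, so it is
-- checked first: SQL_OBJECT_NAME raises ORA-44002 unless the string names an
-- existing object, so injected text never reaches EXECUTE IMMEDIATE.
CREATE OR REPLACE FUNCTION count_emps (
  p_loc   IN VARCHAR2,
  p_ename IN VARCHAR2
) RETURN NUMBER IS
  l_cnt   NUMBER;
  l_table VARCHAR2(128);
BEGIN
  l_table := DBMS_ASSERT.SQL_OBJECT_NAME('emp_' || p_loc);
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_table || ' WHERE ename = :ename'
    INTO l_cnt
    USING p_ename;
  RETURN l_cnt;
END count_emps;
/

-- Demonstration: a quote in the bound value needs no escaping, and a
-- location that carries SQL is rejected before any statement runs.
BEGIN
  DBMS_OUTPUT.PUT_LINE(count_emps('nyc', 'O''BRIEN'));
  BEGIN
    DBMS_OUTPUT.PUT_LINE(count_emps('nyc; DROP TABLE emp_nyc', 'SMITH'));
  EXCEPTION
    WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
  END;
END;
/
```

Run the unsafe version with the same 'O''BRIEN' argument and the concatenated quote breaks the statement, which is the same weakness an attacker exploits; the bound version returns the count for that name.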